Password Manager insecure import ▫

Hello, the function of importing passwords via .csv file in an online environment is VERY insecure. Is there no way to import in an offline environment? It seems to me the only flaw in your implementation, which besides that is sensational!

Hi @o_estrangeiro

All files are encrypted using keys derived from your Trezor. It is not possible for anyone else to access your passwords nor to make any edits.

Currently, there is no such option to use an offline environment.

Hi @pavel , thanks.

I am aware of Trezor’s extremely strong security AFTER importing, my concern is in the process… when generating a .csv file, which is a plain text file and handling it in a vulnerable online environment, there is a huge possibility of malicious code get those passwords.

If you are referring to Export and import of passwords then you are right that the exported CSV file is in plain text and it is not encrypted, as declared.

As there are currently other projects with a higher priority, the whole password manager project will be re-evaluated. Till then, no further development is expected.

No further development?

This was one of the features that led me to purchasing the Trezor!

How long does an import usually take?

Couldn’t get extension to work with Google account, I ended up having to create a dropbox account.

Now I’m stuck with an import which seems to be stuck at saving…now i know why, the app is blocked via google sign in.

Basically I cant use the password manager.

Hi @echosix

Unfortunately, during the time, Google has changed some T&C for Chrome apps which is why the Drive integration does not work at the moment.

Use this guide to migrate your files from Drive to Dropbox: User manual:Password Manager - Trezor Wiki

Speaking of the whole password manager project will be re-evaluated as mentioned.

i understand that the main focus of the trezor is crypt (as should be). However plz i emplore that you don’t abandon the password manager. This saves people the trouble from ordering a yubikey when the Trezor can be used for both password manager AND also for FIDo2 authentication (tested using google account as an example). This is a brilliant additional usage for the trezor which adds even more value for getting one. Why get a yubikey when the trezor can do both crypto AND fido2/password manager.

Hopefully you expand your dev teams so you can also work on this part of the trezor as well.

If possible, a Trezor integration with keepass would be awesome if possible.

Hi @mooglestiltzkin

Thank you for your feedback and for sharing your thoughts. I will definitely pass your message to our product team.

1 Like

ty. and if there is any hardware beta test opportunities i’d be interested to help. i bought a ledger nano x and a trezor model t cauz i like to test out these hardware xd.